�� 5 �� ʹ��֤��Կ

��½��ʹ��֤��Կ��֤4ȷ�� Sun Java System Web Proxy Server �İ�ȫ�ԡ�Proxy Server �� Sun Java System ��İ�ȫ��ϵ�ṹ��b��ҵ��׼�͹��Э��֮�ϣ��Ի�ȡ��̶ȵĻ��Ժ�һ��ԡ�

��¼��Ϥ��Կ��ܵĻ����(��ܺͽ��ܡ��Կ��ר��Կ��֤��ͼ��Э�顣�йظ��Ϣ��μ� Introduction to SSL��

��֤��֤

��֤��ȷ��ݵĹ�̡��罻��У��֤��һ��һ��ʶ��Ĺ�̡�֤��֧��֤��һ�ַ��

֤��а��ָ��ˡ��˾��ʵ��ƣ��֤��֤��а�Ĺ��Կ��ڸ�ʵ�塣

�ͻ��ͷ��ӵ��֤�顣��ָ֤�ͻ��Է��е��ʶ�𣨶Ա��ΪҪ��λ��ض��ַ�ķ��֯��ʶ�𣩡��ͻ��ָ֤��Կͻ��е��ʶ�𣨶Ա��Ϊʹ�ÿͻ��Ա��ʶ�𣩡��ͻ��ж��֤�飬��ͬһ��˿��м��ͬ��һ��

֤��֤��Ȩ�� (CA) �䷢��ǩ��CA ��ǳ��֤��Ĺ�˾��Ҳ��Ǹ��Ϊ��˾��j��j��䷢֤��Ĳ��š��Խ��ε� CA ȷ��Ϊ��û��ݵ��֤��

��Կ��֤��ʶ��ʵ��֮�⣬֤�黹��(��ڡ��䷢��֤�� CA ��ƺͰ䷢��֤�� CA ��ǩ��


ע	�ڼ��֮ǰ��밲װ��֤�顣

��ݿ�

��֤��֮ǰ��봴��һ��ݿ⡣�� Proxy Server �У�Administration Server ��ÿ��ʵ��ӵ��Լ��ݿ⡣��ݿ�ֻ��ڱ��ؼ��ϴ��

��ݿ�ʱ��Ҫָ��Կ��ļ��Ŀ����Ҫ�˿��4��ʹ�ü��ͨ�ŵķ��й�ѡ��ʱ��ע��б?�μ�ѡ��ǿ�Ŀ��

��ݿ��У��Դ��洢��Կ��ר��Կ��Ϊ��Կ��ļ��Կ��ļ�� SSL ��ܡ��Ͱ�װ��֤��ʱ��õ��Կ��ļ��װ֤��֮��֤�齫�洢��ݿ��С�

Administration Server ��ֻ��һ��ݿ⡣ÿ��ʵ��ӵ��Լ��ݿ⡣

��ݿ�

ʹ�� password.conf

Ĭ��£�Proxy Server ��֮ǰ��ʾ��Ա��Կ��ݿ��Ҫ��˲�� Proxy Server��뽫���� password.conf �ļ��С��ϵͳ�ܵ��ֱ��ʱ�ſ��ļ��Կ��ݿ��⵽�ƻ��

ͨ��޷�ʹ�� /etc/rc.local �� /etc/inittab �ļ�� SSL �� UNIX ��Ϊ�÷��֮ǰҪ����ܿ��ͨ��Դ��ı��ʽ�洢��ĳ��ļ��4�Զ�� SSL �ķ��鲻Ҫʹ��ַ�� password.conf �ļ�Ӧ�鳬��û��װ��û��У��ֻ��߾��д��ļ��Ķ�дȨ�ޡ�

�� UNIX �ϣ�� SSL �ķ��Ŀ���� password.conf �ļ��л��4�ܴ�İ�ȫ��ա��κο��Է��ʸ��ļ��û��Ȩ�� SSL �ķ��Ŀ���� SSL �ķ��Ŀ���� password.conf �ļ��֮ǰ��뿼�ǿ��ܴ�4�İ�ȫ��ա�

�� Windows �ϣ��װ�� NTFS �ļ�ϵͳ��Ӧ��ƶ԰� password.conf �ļ��ʹ��ʹ�ø��ļ��Ŀ¼�ķ��Ȩ�ޣ��Ա��ļ��Ŀ¼��Administration Server �û�� Proxy Server �û�Ӧ�þ��жԸ�Ŀ¼�Ķ�дȨ�ޡ��Ŀ¼��Է�ֹ��û��α password.conf �ļ��޷�ͨ��ƶ� FAT �ļ�ϵͳ�ϵ�Ŀ¼��ļ��ķ��Ȩ��4��ǡ�

�Զ�� SSL �ķ��

��ʹ�� password.conf �ļ�֮�� Proxy Server ʱʼ�ջ��յ��ʾ��

��Ͱ�װ VeriSign ֤��

VeriSign �� Proxy Server ��ѡ��֤��Ȩ��ù�˾�ļ��ɼ�֤��̡�VeriSign ��ܹ�ֱ�ӽ�֤�鷵�ط��

Ϊ��֤��ݿ��һ��֤�鲢��ύ�� CA��֤��Ȩ��˾��Լ��ڲ� CA��ò��֤�顣��ҵ CA ��֤�飬��ѡ��һ�� CA ��Ҫ��ض��ʽ��Ϣ��

Administration Server ��ֻ��һ��֤�顣ÿ��ʵ��ӵ��Լ��ķ��֤�顣

�� VeriSign ֤��

��װ VeriSign ֤��

��Ͱ�װ��֤��

�� VeriSign �⣬��Դ��֤��Ȩ��Ͱ�װ֤�顣��Ĺ�˾��֯��ܻ��ṩ�Լ��ڲ�֤�顣��ڽ��Ͱ�װ��͵ķ��֤�顣

�� CA ��Ϣ

��ʼ��֮ǰ��ȷ��˽� CA ��Ϣ��Ϣ�ĸ�ʽ�� CA ��죬��ͨ��ṩ��г��Ϣ��ע�⣬֤��ͨ��Ҫ��Щ��Ϣ�еĴ󲿷��ݡ�

Requestor name����֤��ߵ��ơ�

Telephone number����ߵĵ绰��롣

Common name��DNS ��ʹ�õ�ȫ�޶��磬www.example.com��

Email address���� CA ֮��ͨ��jϵʱʹ�õ��ҵ��ʼ��ַ��

Organization����Ĺ�˾��֯�ȵ��ʽ��ơ�� CA Ҫ��ʹ�÷��ļ��Ӫҵִ�ո��֤ʵ��Ϣ��

Organizational unit����˾�ڲ��֯��λ��˵��

Locality����֯��ڳ��С��߹��/��˵��

State or Province����ҵ��ڵ��ݻ�ʡ��

Country��ڹ��/��Ƶ�˫�ַ��д��ISO ��ʽ��磬�9�Ĺ�Ҵ��Ϊ US��

��Щ��Ϣ��Ϊһϵ��ֵ�ԣ��Ϊ��ʶ�� (DN)��Ψһ��ʶ֤��⡣

��ҵ CA ��֤�飬�� CA �䷢֤��֮ǰ��֮j�磬�Բ��Ϣ�� CA ��Ҫ��ṩ��֤��磬CA ��Ҫ��֤��Ĺ�˾��ƺ͹�˾��Ȩ��û��ҿ��ܻ�ѯ��Ƿ��ʹ��ṩ��Ϣ�ĺϷ�Ȩ��

ĳЩ��ҵ CA ��߽�Ϊ��ϸ��֤��֯��ṩ��ݸ�Ϊ��ϸ�Ҿ�ȷ��֤�顣��磬��֤��ܻ�� CA ��֤ʵ�� www.example.com ��ĺϷ��Ա��Ĺ�˾��ҵ��Ѵ��ش�ͻ��ϰ��

��֤��

�� "Administration Server" �� "Server Manager"��Ȼ�󵥻� "Security" ѡ���

�� "Request Certificate" t�ӡ�

ָ��һ��֤�飬��֤��¡��֤��һ��ʱ�䣨��»�һ�꣩��ᵽ�ڡ�ĳЩ CA ��Զ��֤��¡�

ָ��֤��ύ��ʽ��

Ҫʹ�õ��ʼ��ύ��룬��ѡ�� "CA Email Address"��Ȼ��ڴ��Ӧ��ʼ��ַ��

Ҫʹ�� CA �� Web վ��ύ��룬��ѡ�� "CA URL"��Ȼ��ڴ��Ӧ URL��

�� "Cryptographic Module" ��-ʽ�б��У�ѡ��֤��ʱ��Կ��ļ�Ҫʹ�õļ��ģ�顣

��Կ��ļ��Ŀ����ѡ�� "Internal" ֮��ļ��ģ�飬��ÿ��ݿ�ʱָ��Ŀ����ʹ�øÿ��ȡר��Կ��ܷ��͸� CA ��Ϣ��Ȼ��Ĺ��Կ�ͼ��ܵ��Ϣ��͸� CA��CA ʹ�ù��Կ4��Ϣ��

��ʶ��Ϣ��͵绰��롣��Ϣ�ĸ�ʽ�� CA ��졣��ע�⣬֤��ͨ��Ҫ��Ϣ�еĴ󲿷��ݡ�

��ϸ��Ϣ��ȷ��׼ȷ��Ȼ�󵥻� "OK"��ϢԽ׼ȷ��׼֤��ٶȿ��ܾ�Խ�졣��뽫��֤��ύ��ǰ��ʾ��?��Ϣ��

��ɰ��Ϣ��֤��롣��а�ʹ��ר��Կ��ǩ��CA ʹ��ǩ��֤��ӷ��·�� CA �Ĺ��Ƿ�δ��۸ġ��£��뱻�۸�ʱ��CA ͨ��ͨ��绰��j�硣

��ѡ��ͨ��ʼ��룬��׫д��ĵ��ʼ��Ϣ��Ϣ��͸� CA��ͨ��֤��ͨ��ʼ��ء��ָ��ָ��֤�� URL��ʹ�ô� URL ��֤��ύ��롣��յ��ʼ��ʽ�Ĵ𸴣��巽ʽ�� CA ��졣

�� CA ͬ��䷢֤�飬��֪ͨ��У�CA ��ʹ�õ��ʼ��֤�顣��֯ʹ��֤��ʹ��֤��ı?4��֤�顣

�յ�֤��󼴿ɰ�װ��ڴ��ڼ䣬��Կ�ʹ��δ��װ SSL �� Proxy Server��

��װ��֤��

�� CA �յ�֤��ʱ��֤��ͨ��Ĺ��Կ��ܣ��ֻ��Խ��ܡ�ֻ��ȷ��ݿ����ܽ��ܺͰ�װ֤�顣

֤��t��ɸ�֤��Ȩ��4�ǩ��һϵ�зֲ�֤�顣CA ֤��ڱ�ʶ֤��Ȩ��Լ�ǩ��ɸû�䷢��֤�顣��4��CA ֤��ֿ��ɸ� CA �� CA ֤��ǩ��4��ƣ�ֱ�� CA��

�� CA �յ�֤��ʱ��֤��ͨ��Ĺ��Կ��ܣ��ֻ��Խ��ܡ��װ֤��ʱ��Proxy Server ��ʹ��ָ��Կ��ļ��֤�顣��в��Խ��ʼ��ڷ��ɷ��ʵ�λ�ã�Ҳ��Ը��Ƶ��ʼ��ı��׼��ճ�� "Install Certificate" �?�С�

��װ��֤��


ע	��д��ҵ CA ��֤��û��֤�顣�ܶ� CA �ڰ䷢֤��֮ǰ��Ҫ��ṩ��֤��ң��Ҫһ�쵽��ܵ�ʱ��ܻ��׼��ʱ�� CA �ṩ��б��Ϣ��


ע	�� CA δ�Զ��֤�飬��롣�ܶ� CA ��ǵ�֤��֤��ڵ��ʼ��һ��ͣ��ķ��ͬʱ��װ��}��֤�顣

�� "Administration Server" �� "Server Manager"��Ȼ�󵥻� "Security" ѡ���

�� "Install Certificate" t�ӡ�

�� "Certificate For" �ԣ�ѡ��Ҫ��װ��֤��ͣ�

This Server

Server Certificate Chain

Certification Authority

�й��ض��õĸ��Ϣ��μ�j��

��-ʽ�б��ѡ��ģ�顣

��Կ��ļ��

�ڲ�� 3 ��ѡ�� "Server Certificate Chain" �� "Certification Authority" ʱ��֤��ơ�

ͨ��ִ��²��֮һ��ṩ֤��Ϣ��

ѡ�� "Message Is In This File"��Ȼ��뺬�� CA ֤��ļ��·��

ѡ�� "Message Text (with headers)"��Ȼ��Ʋ�ճ�� CA ֤��ݡ�ȷ�� "Begin Certificate" �� "End Certificate" ��ͷ��ʼ��ֹl�ַ�

�� "OK"��

ѡ��һѡ�

"Add Certificate"��Ҫ��װ�µ�֤�飩��

"Replace Certificate"��Ҫ��װ֤��£��

Ǩ��֤��

�� Sun ONE Web Proxy Server 3.6��Ҳ��Ϊ iPlanet Web Proxy Server��Ǩ�Ƶ� Sun Java System Web Proxy Server 4 ʱ��(��ݿ��֤��ݿ��ڵ��ļ��Զ��¡�

��ȷ�� Proxy Server 4 Administration Server �Ծɵ� 3.x ��ݿ��ļ��ж�ȡȨ�ޡ��Щ�ļ��λ�� 3.x_server_root/alias Ŀ¼�е� alias-cert.db �� alias-key.db��

ֻ�жԷ��˰�ȫ��ʱ��Ǩ��Կ��ļ��֤�顣Ҳ��ʹ�� Administration Server �� Server Manager �� "Security" ѡ��µ� "Migrate 3.x Certificates" ѡ��Զ�Ǩ��Կ��֤�顣�й��ض��õ��Ϣ��μ�j��

��ǰ�İ汾�У�֤��Կ��ļ�ͨ��ɶ��ʵ��ʹ�õı��֡�Administration Server ��б��ί��֤�顣�� Sun Java System Web Proxy Server 4 �У�Administration Server ��ÿ��ʵ��Լ��֤��Կ��ļ��Ϊ��ݿ��Ǳ��

�� Administration Server ��ԣ�ͨ�� Administration Server ��ݿ⼰��ί��֤�飬��ڷ��ʵ��ͨ�� Server Manager ��й��?֤��Կ��ݿ��ļ��ڰ�ʹ��ǵķ��ʵ��ǰ�İ汾�У��ʵ��ͬһ��Ǩ��ʱ��Ϊ�·��ʵ��֤��Կ��ļ��

ϵͳ��Ǩ��ʵ��j��ݿ⡣��ǰ��ݿ��г�� CA ��Ǩ�Ƶ� Proxy Server 4 ��ݿ��С��ظ�� CA��ʹ��ǰ�� CA��ֱ��ڡ��벻Ҫɾ��ظ�� CA��

Proxy Server 3.x ֤��Ǩ�Ƶ�֧�ֵ��簲ȫ�Է�� (NSS) ��ʽ��ݷ��֤��ʱʹ�õ� "Proxy Server" ҳ��֤�飨�� "Administration Server Security" ѡ��� "Server Manager Security" ѡ���

Ǩ��֤��

ʹ��ø�֤��ģ��

Proxy Server ��Ķ�̬��װ��֤��ģ�� CA �ĸ�֤�飬��( VeriSign��ͨ��һ��֤��ģ�飬��Ը��׵ؽ��֤��߰汾��ǰ��һɾ��ɵĸ�֤�飬Ȼ��һ��װ��֤�顣��ڣ�Ҫ��װ��õ� CA ֤�飬ֻ��ͨ�� Proxy Server �ĺ��汾��°汾�ĸ�֤��ģ��ļ�ʱ��ԭ��֤��ģ��ļ��µ��°汾��ɡ�

��Ϊ��֤��Ϊ PKCS #11 ��ģ��ʵ�ֵģ��޷�ɾ��ģ��ĸ�֤�飬��Щ֤��ʱҲ��ṩɾ��֤��ѡ�Ҫ�ӷ��ʵ��ɾ��֤�飬��ͨ��ɾ�� alias �ļ��е��4��ø�֤��ģ�飺

��Ժ�Ҫ�ָ��֤��ģ�飬�ɽ�)չ�� server_root/bin/proxy/lib (UNIX) �� server_root\bin\proxy\bin (Windows) ��ƻ� alias ��Ŀ¼��

��޸ĸ�֤��Ϣ��Ϣ��д��༭�ķ��ʵ��֤��ݿ��У��Ƿ��ظ�֤��ģ�鱾�?

��֤��

��Բ鿴��ɾ��༭��ϰ�װ�ĸ��֤��á��а�(��Լ��֤��4�� CA ��֤�顣

��֤��

�� "Administration Server" �� "Server Manager"��Ȼ�󵥻� "Security" ѡ���

�� "Manage Certificates" t�ӡ�

��Ҫʹ��ڲ��ģ��Ĭ��õ�֤�飬��ʾ��Ѱ�װ֤��б?��а�(֤��ͺͽ�ֹ��ڡ��֤�鶼�洢�� server_root/alias Ŀ¼�С�

��ʹ��Ӳ��ⲿ��ģ�飬��Ϊÿ��ض�ģ��Ȼ�󵥻� "OK"��֤��б?��£��Լ��ģ��֤�顣

��Ҫ��֤��ơ��漴��ʾһ��ҳ�棬��д��֤��Ĺ��ѡ�ֻ�� CA ֤��û�ȡ��ÿͻ��Ρ�ĳЩ�ⲿ��ģ�鲻��ɾ��֤�顣

ָ��ѡ��£�

"Delete Certificate" �� "Quit"��ڲ��õ�֤�飩

"Set client trust"��"Unset server trust" �� "Quit"�� CA ֤�飩

֤��Ϣ�а��ߺͰ䷢֤��Ļ�ͨ��ã��ÿͻ��λ�ȡ��÷��Ρ�� LDAP ��֤�飬��뱻��Ρ�

��װ�͹�� CRL �� CKL

֤�鳷��б� (CRL) ��𻵵��Կ�б� (CKL) �ܹ��г�ͻ��û�Ӧ��ε��֤��Կ��֤��е��ݷ��仯��磬ĳλ�û��֤�鵽��֮ǰ��˰칫�һ��뿪��֯��֤�齫��أ��ݽ��ʾ�� CRL �С��Կ��Ļ��ܵ�ĳ�̶ֳȵ��𻵣��Կ��ݽ��ʾ�� CKL �С�CRL �� CKL �� CA ��ɲ��ڸ��¡��j��ָ�� CA��ȡ��Щ�б?

��װ CRL �� CKL

�� CA �� CRL �� CKL ��ص��Ŀ¼��

�� "Administration Server" �� "Server Manager"��Ȼ�󵥻� "Security" ѡ���

�� "Install CRL/CKL" t�ӡ�

ѡ��һѡ�

Certificate Revocation List

Compromised Key List

��j�ļ��·��Ȼ�󵥻� "OK"��ʾ "Add Certificate Revocation List" �� "Add Compromised Key List" ҳ�棬�г� CRL �� CKL ��Ϣ��ݿ��Ѵ�� CRL �� CKL��ʾ "Replace Certificate Revocation List" �� "Replace Compromised Key List" ҳ�档

��ӻ��滻 CRL �� CKL��

�� CRL �� CKL

�� "Administration Server" �� "Server Manager"��Ȼ�󵥻� "Security" ѡ���

�� "Manage CRL/CKL" t�ӡ��ʾ "Manage Certificate Revocation Lists"/"Compromised Key Lists" ҳ�棬�г��Ѱ�װ�� CRL �� CKL ��ֹ��ڡ�

�� "Server CRLs" �� "Server CKLs" �б��ѡ��֤�顣

ѡ�� "Delete CRL" �� "Delete CKL" ɾ�� CRL �� CKL��ѡ�� "Quit" ��ع��ҳ�档

��ð�ȫ��ѡ��

��֤��󣬼��ɿ�ʼȷ��İ�ȫ��籾��Sun Java System Web Proxy Server �ṩ��లȫԪ�ء�

��ת��Ϣ��ʹ��Ԥ�ڽ��κ��˶��޷�ʶ��Ϣ�Ĺ�̡��Ǳ任��Ϣ��ʹ��¿ɱ�ʶ��Ĺ�̡�Proxy Server ֧�ְ�ȫ�׽��ֲ� (SSL) �ʹ��㰲ȫ�� (TLS) ��Э�顣

��㷨��һ��ڼ��ܻ��ܵ��㷨��һ��ѧ��SSL �� TLS Э��˶��㷨�׼��ĳЩ��㷨��㷨��ǿ�󡢸�ȫ��һ��ԣ��㷨ʹ�õ�λԽ�࣬��ݽ��Խ�ѡ�

��κ�˫��ܹ��У�˫��ʹ��ͬ�ļ��㷨��ڿ��ʹ�ö��ּ��㷨��˱��Ϊ���õļ��㷨��

�ڰ�ȫl�ӹ��У��ͻ��ͷ��ͬ��ʹ�ÿ��Խ��ͨ�ŵ��ǿ��ļ��㷨��Դ� SSL 2.0��SSL 3.0 �� TLS Э��ѡ��㷨��

ֻ��ܹ�̲��ȷ��Ϣ�İ�ȫ��ʹ�ü��㷨��ͬʱ��ʹ��Կ��Դﵽ��ļ��Ч��ǰ��ܵ��Ϣ��ܹ��ʹ��}��Կ��ô�Ч��Կ��ר��Կ��ʹ�ù��Կ��ܵ��Ϣֻ��ʹ�ù�j��ר��Կ��н��ܡ��Կ��֤�鷢��ܱ��ֻ�й�j��ר��Կ��


ע	SSL 2.0 ��԰�ȫ�Ժ��ܽ��˸��ơ��Ǵ��޷�ʹ�� SSL 3.0 �Ŀͻ��벻Ҫʹ�� SSL 2.0��ͻ��֤�鲢�ǿ϶��ʹ�� SSL 2.0 ��㷨��

�йظ��ּ��㷨�׼��˵��Լ��Կ��֤��ĸ��Ϣ��μ� Introduction to SSL��

Ҫָ��ʹ�õļ��㷨�� Proxy Server �û��б��н��ѡ�񡣳��г�ֵ��ɲ�ʹ��ض��ļ��㷨��Ӧѡ��ȫ��㷨��ܿ��ܲ��ϣ��ü��Ч��ŵļ��㷨��

SSL �� TLS Э��

Proxy Server ֧�ּ��ͨ�ŵ� SSL �� TLS Э�顣SSL �� TLS ��b��Ӧ�ó��򣬲��Ͽ�͸��߼��Э�顣

SSL �� TLS Э��֧��ڷ��Ϳͻ��໥��֤��֤��ͽ�b�Ự��Կ�ĸ��ּ��㷨��ͻ��ͷ��֧�ָ��ּ��㷨�׼��㷨��ϣ��ȡ��ڸ��أ��֧�ֵ�Э�顢��˾�йؼ��ǿ�ȵ��Լ��Լ��ڵ��ơ��У�SSL �� TLS ��Э�齫ȷ��Ϳͻ��Э��Ծ��4ͨ�ŵļ��㷨�׼��

ʹ�� SSL �� LDAP ͨ��

��Ӧ��Ҫ�� Administration Server ʹ�� SSL �� LDAP ��ͨ�š�

�� Administration Server �� SSL


ע��	�벻Ҫѡ�� "Enable No Encryption, Only MD5 Authentication"��ͻ��û��㷨��Ĭ��ʹ�ô��Ҳ��м��ܡ�

�� Administration Server �� "Global Settings" ѡ���

�� "Configure Directory Service" t�ӡ�

��ʾ�ı��У��Ŀ¼��t�ӡ��ʾ "Configure Directory Service" ҳ�档��δ�� LDAP ��Ŀ¼�� "Create New Service of Type" ��-ʽ�б��ѡ�� "LDAP Server"��Ȼ�󵥻� "New" ��Ŀ¼��й�Ϊ�� LDAP Ŀ¼��ʾ��ض��ֶεĸ��Ϣ��μ�j��

ѡ�� "Yes" ʹ�� SSL ��l�ӣ�Ȼ�󵥻� "Save Changes"��

ͨ�� Proxy Server ��b SSL ��

�� Proxy Server��ת��ж�ͻ��ͨ��˴��밲ȫ�� SSL l��ʱ��밲ȫ��l�ӣ�Ȼ��ֻ˫��ݣ��Ԥ��ȫ��񡣴˹�̳�Ϊ��b SSL ��#��ͼ��ʾ��

ͼ 5-1 ��b SSL l��ʱ��Proxy Server �޷��鿴�Լ��͵��ݡ�

Ҫ�� HTTPS URL ʹ�� SSL ��#��ͻ��֧�� SSL �� HTTPS��HTTPS ͨ��Ա�׼ HTTP ʹ�� SSL ʵ�֡��֧�� HTTPS �Ŀͻ��ͨ��ʹ�� Proxy Server �� HTTPS ��?��Ҳ��Է�� HTTPS �ĵ��

SSL ��ǽϵͼ��Ļ��Ӱ��Ӧ�ó�� (HTTPS)��SSL ��δʹ�ô�� SSL һ��ȫ��м��ڵĴ��԰�ȫ�Թ��κθ��Ӱ��򽵵� SSL �Ĺ��ܡ�

ʹ�� SSL ʱ��ᱻ��ܣ��˴��޷��ʵ��ˣ��־�޷��г��Զ�̷��յ�״̬��ͷ��ȡ��Ҳ��ֹ�˴��κε��

��ڴ��޷��鿴��ݣ��޷��֤�ͻ��Զ�̷��֮��ͨ��Э��Ƿ�Ϊ SSL��ζ�Ŵ��Ҳ�޷��ֹ��Э��ͨ��Ӧ�� SSL ��Ϊ��l�� Internet ��Ȩ�� (IANA) ��ĳ�� SSL �˿ڣ�� HTTPS �� 443 �˿ں� SNEWS �� 563 �˿ڡ��˿��а�ȫ��վ�㣬��ȷ�涨��ĳЩ��l��˿ڡ��˲��ͨ�� connect://.* ��Դ��ɡ�

SSL ��9��ʵ��һ�� SOCKS �ĳ��湦�ܣ��b��Э�飬��Ҳ�ɶ��ʹ�ô˹��ܡ�Proxy Server ��Ϊ֧�� SSL ��κ�Ӧ�ó�� SSL ��#�� HTTPS �� SNEWS Э�顣

�� SSL ��

��ʷ��ʵ�� Server Manager��Ȼ�󵥻� "Routing" ѡ���

�� "Enable/Disable Proxying" t�ӡ�

��-ʽ�б��ѡ�� connect://.*.443 ��Դ��connect:// ��ڲ��ʾ��ڴ��ⲻ��á��й� connect �ĸ��Ϣ��μ� SSL ��ϸ��Ϣ�е��Ҫ��l��˿ڣ��ʹ��ģ��Ƶ� URL ģʽ��й�ģ��ĸ��Ϣ��μ��ģ��Դ��

ѡ�� "Enable Proxying Of This Resource"��Ȼ�󵥻� "OK"��

SSL ��ϸ��Ϣ


ע��	��ô��ܷ�� SSL ��4ʵ��Զ�̵�¼��Ծ��Щ�˻��ô��ʹԶ�̵�¼l��ʾΪ4�Դ��ʵ��l�ӵ��ˣ��ȷʵ��Ҫ�Ķ˿��ⲻ��˿ڣ��Ҫ�Դ��ʹ�÷��ʿ��ƣ��ƿͻ��

HTTP/1.0 200 Connection established
Proxy-agent: Sun-Java-System-Web-Proxy-Server/4.0

��ڿͻ��Զ�̷��֮�佨bl�ӣ��ݿ�˫��ͣ�ֱ��κ�һ��ر�l�ӡ�

ʵ��ϣ�Ϊ��ڻ�� URL ģʽ�ı�׼��û��ƣ��Ͷ˿ں� (energy.example.com:443) ��Զ�ӳ�䵽 URL �У��ʾ��

connect:// ֻ�� Proxy Server ʹ�õ��ڲ��ʾ��ʹ��ø��ײ�� URL ģʽһ�¡�� Proxy Server ֮�⣬�� connect URL�� Proxy Server ��յ�� URL ʱ��Ὣ��Ϊ��Ч��ܾ�Ϊ��ṩ��

Ϊ��׽��ð�ȫ��

�򿪰�ȫ��

Ϊ��׽��ȫ��֮ǰ��򿪰�ȫ�ԡ��ڴ��µ��׽��ֻ�༭��׽��ʱ�򿪰�ȫ�ԡ�

��׽��ʱ�򿪰�ȫ��

�� Administration Server �� Server Manager��Ȼ�󵥻� "Preferences" ѡ���

�� "Add Listen Socket" t�ӡ�

��Ϣ��Ҫ�򿪰�ȫ�ԣ�� "Security" ��-ʽ�б��ѡ�� "Enabled"��Ȼ�󵥻� "OK"��ע�⣬��δ��װ��֤�飬��ֻ��ѡ�� "Disabled"��й��ض��õĸ��Ϣ��μ�j��



ע	��׽��ֺ�ʹ�� "Edit Listen Sockets" t��4��ð�ȫ��á�

�༭��׽��ʱ�򿪰�ȫ��

ѡ��׽��ֵķ��֤��

�� Administration Server �� Server Manager ��׽��֣��ʹ��Ͱ�װ�ķ��֤�顣

Ϊ��׽��ѡ��֤��


ע	��ٰ�װһ��֤�顣

�� Administration Server �� Server Manager��Ȼ�󵥻� "Preferences" ѡ���

�� "Edit Listen Sockets" t�ӡ�

��Ҫ�༭��׽��ֵ�t�ӡ�

Ҫ�򿪰�ȫ�ԣ�� "Security" ��-ʽ�б��ѡ�� "Enabled"��Ȼ�󵥻� "OK"��ע�⣬��δ��װ��֤�飬��ֻ��ѡ�� "Disabled"��

ѡ�� "Enabled" �� "OK" �� "Server Certificate Name" ��-ʽ�б��Ϊ��׽��ѡ��֤�飬Ȼ�󵥻� "OK"��

ѡ��㷨

Ҫ�� Proxy Server �İ�ȫ�ԣ�Ӧ�� SSL�� SSL 2.0��SSL 3.0 �� TLS ��Э�鲢ѡ��ּ��㷨�׼��׽��Ϊ Administration Server �� SSL �� TLS Э�顣��׽��Ϊ Server Manager �� SSL �� TLS ��Ϊ�ض��ķ��ʵ��ð�ȫ��ѡ���ٰ�װһ��֤�顣


ע	��׽�� SSL ֻ��ڷ��?��֮��ֻ�н� Proxy Server ��Ϊִ�з��ʱ�ſ�Ӧ�á�

Ĭ��ʹ���õļ��㷨��г�ֵ��ɲ�ʹ��ض��ļ��㷨�׼��Ӧȫ��ѡ�С��й��ض��㷨�ĸ��Ϣ��μ� Introduction to SSL��

ϵͳ�� TLS �ع��Ĭ�Ϻ��Ƽ��Ϊ "Enabled"��Ὣ��Ϊ��Ϊ�汾�ع��Ҫʵ��ĳЩδ��ȷʵ�� TLS �淶�Ŀͻ��Ļ��ԣ��Ҫ��ֵ��Ϊ "Disabled"��

��ע�⣬�� TLS �ع�ʹl��⵽�汾�ع��汾�ع��һ�ֻ��ƣ��ͨ��ֻ��ǿ�ƿͻ��ͷ��ʹ�ð�ȫ�Խϵ͵��Э�飨�� SSL 2.0��ͨ�š�� SSL 2.0 Э��д��֪��ȱ�ݣ��޷��⵽�汾�ع��ͼ��ʹ�õ��׽�ȡ�ͽ��ܼ��ܵ�l�ӡ�

�� SSL �� TLS

�� Administration Server �� Server Manager��Ȼ�󵥻� "Preferences" ѡ���

�� "Edit Listen Sockets" t�ӣ�Ȼ�󵥻�Ҫ�༭��׽��ֵ�t�ӡ��ڰ�ȫ��׽��֣��ʾ��õļ��㷨��á�



ע	��׽��δ��ð�ȫ�ԣ��򲻻��г��κ� SSL �� TLS ��Ϣ��Ҫʹ�ü��㷨��ȷ��ѡ��׽��˰�ȫ�ԡ��йظ��Ϣ��μ�Ϊ��׽��ð�ȫ��

ѡ��ö�Ӧ�ĸ�ѡ��Ȼ�󵥻� "OK"��



ע	�� Netscape Navigator 6.0��ѡ�� TLS �� SSL 3.0�� TLS �ع�ҲҪѡ�� TLS��ȷ�� SSL 3.0 �� SSL 2.0��

�ڷ�� SSL �� URL ��ʹ�� https�� http��ָ�� SSL �ķ��ĵ�� URL ��¸�ʽ��

ȫ��ð�ȫ��

��װ�� SSL �ķ�� magnus.conf �ļ��ļ��Ϊȫ�ְ�ȫ�Բ��ָ��Ŀ��

�� SSL ��ļ�ָ��ֵ

��Щ SSL ��ļ�ָ��˵��й� magnus.conf �ĸ��Ϣ��μ� Proxy Server Configuration File Reference��

SSLSessionTimeout

�﷨

�� seconds �ǻ�� SSL �Ự��Ч��Ĭ��ֵΪ 100 �롣��ָ�� SSLSessionTimeout ָ���ֵ��Զ��޶�Ϊ 5 �� 100 ֮�䡣

SSLCacheEntries

SSL3SessionTimeout

�﷨

�� seconds �ǻ�� SSL 3.0 �Ự��Ч��Ĭ��ֵΪ 86400 �루24 Сʱ��ָ�� SSL3SessionTimeout ָ���ֵ��Զ��޶�Ϊ 5 �� 86400 ֮�䡣

ʹ��ⲿ��ģ��

��װ PKCS #11 ģ��

Proxy Server ֧�ֹ��Կ��ܱ�׼ (PKCS) #11��ñ�׼�� SSL �� PKCS#11 ģ��֮��ͨ��õĽӿڡ�PKCS #11 ģ��ָ�� SSL Ӳ��Ļ��ڱ�׼��l�ӡ��ⲿӲ��ĵ��֤��Կ�洢�� secmod.db �ļ��У��ļ��ڰ�װ PKCS #11 ģ��ʱ��ɡ��ļ�λ�� server_root/alias Ŀ¼�С�

ʹ�� modutil ��װ PKCS #11 ģ��

��ʹ�� modutil �� .jar �ļ��ļ��ʽ��װ PKCS #11 ģ�顣

ʹ�� modutil ��װ PKCS #11 ģ��

ȷ��( Administration Server ��ڵ��з��ѹرա�

ת�p��ݿ�� server_root/alias Ŀ¼��

�� server_root/bin/proxy/admin/bin ��ӵ� PATH �С�

�� server_root/bin/proxy/admin/bin ��ҵ� modutil��

��û��磺

�� UNIX �ϣ�setenv

LD_LIBRARY_PATH server_root/bin/proxy/lib:${LD_LIBRARY_PATH}

�� Windows �ϣ��ӵ� PATH

LD_LIBRARY_PATH server_root/bin/proxy/bin

��Ŀ¼��ҵ�� PATH��server_root/proxy-admserv/start��

��modutil��г��ѡ�

ִ��Ĳ��

��磬Ҫ�� UNIX �� PCKS #11 ģ�飬��룺

modutil -add��PKCS#11 �ļ����-libfile��PKCS #11 �� libfile�� -nocertdb -dbdir���� db Ŀ¼��

ʹ�� pk12util

ʹ�� pk12util ��Դ��ڲ��ݿ��е��֤��Կ��䵼��ڲ��ⲿ PKCS #11 ģ�顣��Խ�֤��Կʼ�յ��ڲ��ݿ��У��ⲿ��Ʋ��֤��Կ��Ĭ��£�pk12util ʹ��Ϊ cert8.db �� key3.db ��֤��Կ��ݿ⡣

ʹ�� pk12util ��

��ڲ��ݿ⵼��֤��Կ

ת�p��ݿ�� server_root/alias Ŀ¼��

�� server_root/bin/proxy/admin/bin ��ӵ� PATH �С�

�� server_root/bin/proxy/admin/bin ��ҵ� pk12util��

��û��磺

�� UNIX �ϣ�setenv

LD_LIBRARY_PATH/server_root/bin/proxy/lib:${LD_LIBRARY_PATH}

�� Windows �ϣ��ӵ� PATH

LD_LIBRARY_PATH server_root/bin/proxy/bin

��Ŀ¼��ҵ�� PATH��server_root/proxy-admserv/start��

��pk12util��г��ѡ�

ִ��Ĳ��

��磬�� UNIX ��룺

pk12util -o certpk12 -n Server-Cert [-d /server/alias] [-P https-test-host]

��ݿ��

�� pkcs12 ��

ʹ�� pk12util ��

��֤��Կ��ڲ��ⲿ PKCS #11 ģ��

ת�p��ݿ�� server_root/alias Ŀ¼��

�� server_root/bin/proxy/admin/bin ��ӵ� PATH �С�

�� server_root/bin/proxy/admin/bin ��ҵ� pk12util��

��û��磺

�� UNIX �ϣ�setenv

LD_LIBRARY_PATH/server_root/bin/proxy/lib:${LD_LIBRARY_PATH}

�� Windows �ϣ��ӵ� PATH

LD_LIBRARY_PATH server_root/bin/proxy/bin

��Ŀ¼��ҵ�� PATH��server_root/proxy-admserv/start��

��pk12util��г��ѡ�

ִ��Ĳ��

��磬�� UNIX ��룺

pk12util -i pk12_sunspot [-d certdir][-h "nCipher"][-P https-jones.redplanet.com-jones-]

-P �� -h ��棬��ұ��һ��

��ȷ��(��֮��Ĵ�д��ĸ�Ϳո�

��ݿ��

�� pkcs12 ��

ʹ��ⲿ֤��

��֤�鰲װ��ⲿ PKCS #11 ģ�飨��磬Ӳ��޷�ʹ�ø�֤��Ƕ� server.xml �ļ��б༭��ָ��֤��

��ʼ�ճ��ʹ��Ϊ Server-Cert ��֤��ⲿ PKCS #11 ģ��е�֤�飬��ʶ��л��ģ��ĳ��磬��Ϊ smartcard0 ��ⲿ��ܿ��ȡ��ϰ�װ�ķ��֤��ᱻ��Ϊ smartcard0:Server-Cert��

Ҫʹ�ð�װ��ⲿģ��е�֤��Ϊ��з��׽��ָ��֤��ơ�

Ϊ��׽��ѡ��֤��

��δ��׽��ð�ȫ�ԣ��򲻻��г�֤��Ϣ��ҪΪ��׽��ѡ��֤��ƣ��ȱ��ȷ��Ѷ��׽��ð�ȫ�ԡ��йظ��Ϣ��μ�Ϊ��׽��ð�ȫ��

��Ҳ��ֶ��༭ server.xml �ļ��÷��ʹ�ø÷��֤�� SSLPARAMS �е� servercertnickname ��Ը��Ϊ��

Ҫ�� $TOKENNAME ʹ�õ�ֵ��ת�w�� "Security" ѡ���ѡ�� "Manage Certificates" t�ӡ��¼��洢 Server-Cert ��ⲿģ��ʱ��$TOKENNAME:$NICKNAME �?��б��н��ʾ��֤�顣



ע	��δ��ݿ⣬��Ϊ�ⲿ PKCS #11 ģ��װ֤��ʱ��һ��ݿ⡣��Ĭ��ݿ�û�п����޷��ʡ��ⲿģ�齫��Ͱ�װ��֤�顣��Ĭ��ݿ�û�п����ʹ�� "Security" ѡ��ϵ� "Create Database" ҳ��4��ÿ��

FIPS-140 ��׼

ͨ�� PKCS #11 API ��ִ�м��ܲ��Ӳ��ģ��ͨ�š�� Proxy Server �ϰ�װ PKCS #11 ֮�󣬿ɽ��Ϊ�� (FIPS)-140 ��ݣ�FIPS ��“j��Ϣ��׼”��Щ��ֻ�� SSL 3.0 �С�

�� FIPS-140

�� FIPS-140 �е�˵��װ�ò��

�� Administration Server �� Server Manager��Ȼ�󵥻� "Preferences" ѡ���

�� "Edit Listen Sockets" t�ӡ��ڰ�ȫ��׽��֣�"Edit Listen Socket" ҳ�潫��ʾ��õİ�ȫ��á�



ע	Ҫʹ�� FIPS-140��ȷ��ѡ��׽��˰�ȫ�ԡ��йظ��Ϣ��μ�Ϊ��׽��ð�ȫ��

�� SSL �汾 3 ��-ʽ�б��ѡ�� "Enabled"��δѡ�񣩡�

ѡ��ʵ�� FIPS-140 ��㷨�׼��Ȼ�󵥻� "OK"��

�� 168 λ�� Triple DES �� SHA ��֤ (FIPS)

�� 56 λ�� DES �� SHA ��֤ (FIPS)

��ÿͻ��ȫҪ��

�ͻ��֤�� SSL l�Ӳ��Ǳز��٣��ȷ��Ϊ��Ϣ��͸��ȷ��շ��ṩ��ı�֤��ڷ��ʹ�ÿͻ��֤��ȷ��ݷ��δ��Ȩ�Ĵ��ͻ��Ϣ��

Ҫ��ͻ��֤

��Ϊ Administration Server ��ÿ��ʵ��׽��֣��Ҫ��ͻ��֤��ÿͻ��֤�󣬱��߱��ͻ��֤�飬��ܽ��Ӧ��͸��ѯ��

Proxy Server ֧��ͨ��ͻ��֤��е� CA ��ǩ��ͻ��֤�� CA ��ƥ��4��֤�ͻ��֤�顣�� "Security" ѡ��ϵ� "Manage Certificates" ҳ��в鿴��ǩ��ͻ��֤�� CA ��б?

��Զ� Proxy Server ��ã��Ծܾ�û��4�Կ�� CA �Ŀͻ��֤��κοͻ��Ҫ��ܻ�ܾ��ε� CA��Ϊ CA ��ÿͻ��Ρ��йظ��Ϣ��μ��֤��

��֤��ѹ��ڣ�Proxy Server ��¼��󡢾ܾ�֤�鲢��ͻ��һ��Ϣ��Ҳ��Դ� "Manage Certificates" ҳ��в鿴�ѹ��ڵ�֤�顣

��ԶԷ��ã��Ա�ӿͻ��֤��ռ��Ϣ�� LDAP Ŀ¼�е��û��Ŀ��ƥ�䡣��ȷ��ͻ��Ч��֤�� LDAP Ŀ¼�е��Ŀ��һ��ȷ��ͻ��֤�� LDAP Ŀ¼�е�֤��ƥ�䡣Ҫ�˽��ν��д˲��μ��ͻ��֤��ӳ�䵽 LDAP��

��Խ��ͻ��֤��ͷ��ʿ��ƽ��ʹ�ã��Ա��4��ε� CA ��⣬��֤��j��û��ʿ��ƹ�� (ACL) ��ƥ�䡣�йظ��Ϣ��μ�ʹ�÷��ʿ��ļ��

Ҫ��ͻ��֤

��еĿͻ��֤

��-��֤-�ͻ��ʹ�ô˷��ʱ��з��Ҫ��֤��пͻ��ʣ��ֻ��з��Ҫ��֤�鲢�� Proxy Server �ķ��ʿ��б��ϵ��Ͽ��û��Ŀͻ��ʡ�

��ݷ��-��֤-��ʹ�ô˷��ʱ��ȷ��ݷ�� Proxy Server ��ʵ��l�ӡ�

��-��֤-�ͻ��ݷ��-��֤-���˷��Ϊ��ṩ��ѵİ�ȫ�Ժ��֤��

�ڷ��ÿͻ��֤

��ȫ��еĿͻ��֤Ϊȷ��l�ӵİ�ȫ��ṩ�˽�һ��ı��ϡ��˵��θ��ѡ��ÿͻ��֤��

��-��֤-�ͻ��

��“��-��֤-�ͻ��”��


ע	ÿ��ٶ��ͬʱӵ�а�ȫ��“�ͻ��-��”l�ӺͰ�ȫ��“��-��ݷ��”l�ӡ�

��“��÷��”��ð�ȫ“�ͻ��-��”�Ͱ�ȫ“��-��ݷ��”��˵��ʹ�÷��

��ʷ��ʵ�� Server Manager��Ȼ�󵥻� "Preferences" ѡ���

�� "Edit Listen Sockets" t�ӣ�Ȼ��ʾ�ı��е��׽��ֵ�t�ӡ��ʹ�� "Add Listen Socket" t�ӿ��ú��׽��֡��

ָ��ͻ��֤Ҫ��

Ҫ��߱��Ч֤��û��ʣ�

�� "Security" ��֣�ʹ�� "Client Authentication" ��Ҫ��ڴ��׽��Ͻ��пͻ��֤��ע�⣬��δ��װ��֤�飬��ý��ɼ�

Ҫ��Ⱦ߱��Ч֤��ڷ��ʿ��б�ָ��Ϊ�ɽ��û��û��ʣ�

�� "Security" ��֣�� "Client Authentication" ��ñ��Ϊ�ر�״̬��ע�⣬��δ��װ��֤�飬��ý��ɼ�

�ڸ÷��ʵ�� Server Manager "Preferences" ѡ��ϣ�� "Administer Access Control" t�ӡ�

ѡ��һ�� ACL��Ȼ�󵥻� "Edit" ��ť��ʾ "Access Control Rules For" ҳ�棨��ʾ��Ƚ��֤��

�򿪷��ʿ��ƣ��δѡ�� "Access control Is On" ��ѡ��뽫��ѡ�У��

�� Proxy Server ��Ϊ��Ϊ��֤��йظ��Ϣ��μ��÷��

��ʿ��ƹ�� "Rights" t�ӣ��²��ָ��Ȩ�ޣ�Ȼ�󵥻� "Update" ��¸��Ŀ��

�� "Users/Groups" t�ӡ��²��У�ָ��û��飬ѡ�� SSL ��Ϊ��֤��Ȼ�󵥻� "Update" ��´��Ŀ��

��ϲ��е� "Submit"��ݡ�

�йط��ʿ��õĸ��Ϣ��μ��ƶԷ��ķ��

��ݷ��-��֤-��

��“��ݷ��-��֤-��”��

��÷��ж��ð�ȫ“�ͻ��-��”�Ͱ�ȫ“��-��ݷ��”��˵��в��

��ݷ��ϣ��򿪿ͻ��֤��



ע	��Խ��˷��޸�Ϊ�� Proxy Server ��зǰ�ȫ�ͻ��l�ӡ��ݷ��а�ȫl�ӣ��ʹ��ݷ��֤ Proxy Server��Ҫִ�д˲��رռ��ܣ��ʹ��²��ʼ��֤�顣

��-��֤-�ͻ��ݷ��-��֤-��

��“��-��֤-�ͻ��ݷ��-��֤-��”��

��ͻ��֤��ӳ�䵽 LDAP

��ڽ�� Proxy Server ��ͻ��֤��ӳ�䵽 LDAP Ŀ¼�е��Ŀʱʹ�õĹ�̡�

��յ�4�Կͻ��ڴ��֮ǰ��Ҫ�ͻ��֤�顣ĳЩ�ͻ��ͬʱ��Ϳͻ��֤�顣

��Բ鿴�� CA �Ƿ�� Administration Server �е�ĳ�� CA ��ƥ�䡣��ƥ�䣬Proxy Server ��l�ӡ��ܹ��ҵ�ƥ�� CA��

��֤֤��4��ε� CA ֮�󣬷��ͨ��ִ��²��֤��ӳ�䵽ĳ�� LDAP ��Ŀ��


ע	��ͻ��֤��ӳ�䵽 LDAP ֮ǰ�� ACL��йظ��Ϣ��μ��ƶԷ��ķ��

��ʹ��Ϊ certmap.conf ��֤��ӳ��ļ�4ȷ��ν�� LDAP ��ӳ��ļ��߷��Ҫʹ�ÿͻ��֤��е��Щֵ��û��ơ��ʼ��ַ�ȣ��ʹ��Щֵ�� LDAP Ŀ¼�е��û��Ŀ��ȱ��ȷ�� LDAP Ŀ¼�е��ĸ�λ�ÿ�ʼ��֤��ӳ��ļ�Ҳ��߷��ʼ��λ�á�

��˽⿪ʼ��λ�ú��Ҫ��ݣ��һ�㣩֮�󣬽�� LDAP Ŀ¼��ִ��ڶ��㣩��δ�ҵ�ƥ��Ŀ��ҵ��ƥ��Ŀ��ӳ��δ��Ϊ��֤֤�飬��ʧ�ܡ�

�±��г��Ԥ�ڵ��Ϊ��ע�⣬�� ACL ��ָ��Ԥ��Ϊ��磬��ָ��֤��ƥ��ʧ�ܺ�Proxy Server ֻ��ʡ��й�� ACL ��ѡ��ĸ��Ϣ��μ�ʹ�÷��ʿ��ļ��

�� 5-1 LDAP ��
LDAP ��	֤��֤��	֤��֤�ر�
δ�ҵ��Ŀ	��֤ʧ��	��֤ʧ��
ֻ�ҵ�һ��Ŀ	��֤ʧ��	��֤�ɹ�
�ҵ��Ŀ	��֤ʧ��	��Ȩʧ��

�� LDAP Ŀ¼��ҵ�ƥ��Ŀ��֤��󣬼��ʹ�ø��Ϣ��磬ĳЩ��ʹ��֤��-��-LDAP (certificate-to-LDAP) ӳ��4ȷ��ĳ̨��ķ��Ȩ�ޡ�

ʹ�� certmap.conf �ļ�

֤��ӳ��ȷ�� LDAP Ŀ¼�в��û��Ŀ�ķ�ʽ��ʹ�� certmap.conf ��֤�飨��ָ��ӳ�䵽 LDAP ��Ŀ�ķ�ʽ��Ա༭��ļ��Ŀ�� LDAP Ŀ¼��֯�ṹ��г�ϣ��û�ӵ�е�֤�顣�û��Ի�� subjectDN ��ʹ�õ��û� ID��ʼ��κ�ֵ��֤��ԣ�ӳ��ļ��ɶ��Ϣ��

��ļ��һ��ӳ�䣬ÿ��ӳ�䶼Ӧ��ڲ�ͬ�� CA��ӳ��﷨��£�

��һ��ָ��Ŀ��Լ��γ� CA ֤��Ψһ��Ƶ��ԡ�name ��ģ��Զ��ΪԸ��ʹ�õ��κ��ơ��ǣ�issuerDN ��䷢�ͻ��֤�� CA �İ䷢�� DN ��ȫƥ�䡣��磬��}�а䷢�� DN ��ڷָ��ԵĿո��죬��Ϊ}��ͬ��Ŀ��

certmap sun1 ou=Sun Certificate Authority,o=Sun,c=US
certmap sun2 ou=Sun Certificate Authority, o=Sun, c=US


��ʾ	��ʹ�õ�� Sun Java System Directory Server��ƥ��䷢�� DN ��⣬�� Directory Server ��־��Ƿ��õ��Ϣ��

��ӳ��еĵڶ��к��н��ֵ��ƥ�䡣certmap.conf �ļ��а��Ĭ��ԣ��ʹ��֤�� API �Զ��ԣ��

DNComps ��һϵ��ɶ��ŷָ��ԣ��ȷ�� LDAP Ŀ¼�δ��ʼ��ƥ��û��ͻ��֤��ߣ��Ϣ��Ŀ��ӿͻ��֤��ռ��Щ��Ե�ֵ��Щֵ�γ� LDAP DN��Ȼ�󼴿�ȷ�� LDAP Ŀ¼��ĸ�λ�ÿ�ʼ��磬�� DNComps ��Ϊʹ�� DN �� o �� c ��ԣ�� LDAP Ŀ¼�е� o=org��c= country ��Ŀ��ʼ�� org �� country ��滻Ϊ֤�� DN �е�ֵ��

��ע��

��ӳ��в�� DNComps ��Ŀ��ʹ�� CmapLdapAttr ��û�ͻ��֤��е�� DN��û��Ϣ��

�� DNComps ��Ŀ��ڵ�û�ж�Ӧ��ֵ�� LDAP ��ƥ��Ŀ��

��磬�� FilterComps ��Ϊʹ�õ��ʼ��û� ID �� (FilterComps=e,uid)��Ŀ¼��ʼ��û� ID ��ֵ��ӿͻ��֤��ռ��û��Ϣ��ƥ��Ŀ��ʼ��ַ��û� ID �Ƿǳ��õĹ��Ϊ��Ŀ¼��ͨ��Ψһ�ġ��Ҫ�ǳ��壬��ֻ�� LDAP ��ݿ��е�Ψһ��Ŀƥ�䡣

��Ӧ��֤��е�� LDAP Ŀ¼�е��磬ĳЩ֤��У��û��ĵ��ʼ��ַ��Ϊ e�� LDAP ��Ƹ��Ϊ mail��

�±��г�� x509v3 ֤��ԡ�

�� 5-2 x509v3 ֤��
��	˵��
c	��/��
o	��֯
cn	ͨ��
l	λ��
st	״̬
ou	��֯��λ
uid	UNIX/Linux �û� ID
email	��ʼ��ַ

verifycert ��߷��Ƿ�Ҫ��ͻ��֤�� LDAP Ŀ¼��ҵ��֤��Ƚϡ��ʹ��}��ֵ��on �� off��ֻ�� LDAP Ŀ¼�а�֤��ʱ��Ҫʹ�ô��ԡ��˹��ȷ��û�ʹ�õ�֤��Ч��δ��ء�

CmapLdapAttr �� LDAP Ŀ¼�а��û��֤�� DN ��ơ��Ե�Ĭ��ֵΪ certSubjectDN��Բ��Ǳ�׼�� LDAP ��ԣ��Ҫʹ�ø��ԣ��)չ LDAP ģʽ��йظ��Ϣ��μ� Introduction to SSL��

�� certmap.conf �ļ��д��ڴ��ԣ�� LDAP Ŀ¼��ԣ��Դ�� DN��֤��л�ã��ƥ��Ŀ��δ�ҵ��κ��Ŀ��ʹ�� DNComps �� FilterComps ӳ��

��ʹ�� DNComps �� FilterComps ƥ��Ŀ��'��ʱ��ڽ�֤�� LDAP ��Ŀ��ƥ��ķ��ǳ��á�

��Զ��

��ʹ�ÿͻ��֤�� API ��Լ��ԡ��Զ��ӳ��󣬾Ϳ��¸�ʽ��ӳ�䣺

certmap default1 o=Sun Microsystems, c=US
default1:library /usr/sun/userdb/plugin.so
default1:InitFn plugin_init_fn
default1:DNComps ou o c
default1:FilterComps l
default1:verifycert on

ӳ��

certmap.conf �ļ��Ӧ��ٰ�һ��Ŀ��ʾ��˵��ʹ�� certmap.conf �Ĳ�ͬ��ʽ��

ʾ�� 1

certmap default default
default:DNComps ou, o, c
default:FilterComps e, uid
default:verifycert on

�ڱ�ʾ��У��ڰ� ou=orgunit, o=org, c=country ��Ŀ�� LDAP ��֧�㴦��ʼ��е�б��ı��滻Ϊ�ͻ��֤�� DN ��ֵ��

Ȼ�󣬷��ʹ��֤��еĵ��ʼ��ַ��û� ID ��ֵ�� LDAP Ŀ¼��ƥ��Ŀ��ҵ�ƥ��Ŀʱ��ȽϿͻ��͵�֤��ʹ洢��Ŀ¼�е�֤�飬��֤��֤�顣

ʾ�� 2

��ʾ��ļ��а�(}��ӳ�䣺һ��Ĭ��ӳ�䣬��һ�� US Postal Service��

certmap usps ou=United States Postal Service, o=usps, c=US
usps:DNComps ou,o,c
usps:FilterComps e
usps:verifycert on

��ճ� US Postal Service ֮��κ��˵�֤��ʱ��ʹ��Ĭ��ӳ�䣬�� LDAP ��Ķ��ʼ��ͻ��ĵ��ʼ��û� ID ��ƥ��Ŀ��֤��4�� US Postal Service��ں��֯��λ�� LDAP ��֧��ʼ��ʼ��ַ��ƥ��Ŀ��ע�⣬��֤��4�� US Postal Service��֤��֤�顣��֤�鲻�ᱻ��֤��

ʾ�� 3


ע��	֤��еİ䷢�� DN�� CA ��Ϣ��ӳ��ĵ�һ��еİ䷢�� DN һ�¡��ʾ��У�4�԰䷢�� DN�� o=United States Postal Service,c=US��֤��Ͳ�ƥ�䣬��Ϊ o �� c ��֮��û�пո�

��ʾ��ʹ�� CmapLdapAttr Property �� LDAP ��ݿ��Ϊ certSubjectDN ��ԣ��Ե�ֵ��ͻ��֤��е�� DN ��ȫƥ�䡣

certmap myco ou=My Company Inc, o=myco, c=US
myco:CmapLdapAttr certSubjectDN
myco:DNComps o, c
myco:FilterComps mail, uid
myco:verifycert on

��ҵ��һ��ƥ��Ŀ��֤��Ŀ��δ�ҵ�ƥ��Ŀ��ʹ�� DNComps �� FilterComps ��ƥ��Ŀ��ڱ�ʾ��У�� o=LeavesOfGrass Inc, c=US �µ��Ŀ�� uid=Walt Whitman��


ע	��ʾ�� LDAP Ŀ¼�а�� certSubjectDN ��Ե��Ŀ��

��ø�ǿ��ļ��㷨

�� Server Manager "Preferences" ѡ��ϵ� "Set Cipher Size" ѡ��ѡ��ʹ�� 168 λ��128 λ�� 56 λ��С��Կ��з�� ޴�С��ơ��ָ��ʱʹ�õ��ļ��δָ��ļ��Proxy Server �� "Forbidden" ״̬��

��ѡ��ڷ��ʵ��Կ��С�� "Security Preferences" �µĵ�ǰ��㷨��ò�һ�£�Proxy Server ��ʾһ��Ի��򣬾��Ҫ��ô��и��Կ��С�ļ��㷨��

��Կ��С��Ƶ�ʵ�ֻ�� obj.conf �е� NSAPI PathCheck ָ��� Service fn=key-toosmall��ָ��Ϊ��

��У�nbits ��Կ��Сλ��filename �ǲ��ʱ��ļ��ơ�

��δ�� SSL ��δָ�� secret-keysize ��PathCheck �� REQ_NOACTION��ǰ�Ự��Կ��СС��ָ�� secret-keysize��״̬Ϊ PROTOCOL_FORBIDDEN �� REQ_ABORTED��δָ�� bong-file��߷�� REQ_PROCEED��·��Ϊ bong-file filename��ң��Կ��С��ǰ�Ự�� SSL �Ự��ʧЧ��Ա��´ε�ͬһ̨�ͻ��l�ӵ��ʱ�� SSL ��֡�

��ø�ǿ��ļ��㷨


ע	"Set Cipher Size" �?�� PathCheck fn=ssl-check ʱ��ɾ��ڶ��ҵ��κ� Service fn=key-toosmall ָ�

��ʷ��ʵ�� Server Manager��Ȼ�󵥻� "Preferences" ѡ���

�� "Set Cipher Size" t�ӡ�

��-ʽ�б��У�ѡ��Ҫ��Ӧ�ø�ǿ��㷨��Դ��Ȼ�󵥻� "Select"��Ҳ��ָ��ʽ��йظ��Ϣ��μ��ģ��Դ��

ѡ��Կ��С��ƣ�

168 λ��

128 λ��

56 λ��

��

ָ��Ҫ�ܾ��ʵ��Ϣ��ڵ��ļ�λ�ã�Ȼ�󵥻� "OK"��

��ȫע��

��˻��ͼ�ƽ��ļ��⣬��ȫ��ա��ٵķ��4��ⲿ��ڲ��ĺڿͣ��ʹ�ø��ַ��ͼ��ķ��Լ��ϵ��Ϣ��ڷ��ü��⣬��Ӧ��ȡ��İ�ȫ�;��ʩ��磬��һ��ȫ�ķ��ڣ��Լ��κβ��ε��˽��ص��ķ��С��ڽ��һЩ��ʹ��ȫ��Ҫ��

��

��ּ򵥵İ�ȫ��ᱻ��ǡ��һ��ķ��У�ֻ��Ȩ��Ա��ܽ��÷��䡣��Է�ֹ�κ��˹��?��ң��й��?��û����Ʊ��˿��

��ƹ��

��ʹ��Զ��ã��ȷ��˷��ʿ��ƣ�ֻ��û��ͼ��й��?��ϣ��Ϊ��û��ṩ�� LDAP ��򱾵�Ŀ¼��Ϣ�ķ��Ȩ�ޣ��뿼��ά��}̨��ʹ��Ⱥ��?�� SSL �Ĺ��һ̨��û��ķ��ʡ��й�Ⱥ��ĸ��Ϣ��μ��Ⱥ��

��ӦΪ Administration Server �򿪼��ܹ��ܡ��ʹ�� SSL l�ӽ��й��?ͨ��ȫ��ִ��Զ�̷��ʱӦ�ø��С�ġ��Ϊ�κ��˶��Խ�ȡ��Ĺ����ķ��

ѡ��ǿ�Ŀ��

��ڷ��ʹ�ö����ר��Կ����ݿ��ȡ��п��Ҫ��һ��Ϊ��иÿ��û��ļ��κη��ר��Կ��һ��Ҫ�Ŀ����˻�ȡ��ר��Կ��ר��Կ����Դ��αװ��ķ��ȡ�͸�ķ��ͨ��Ϣ��

��ñ��Լ��䣬��޷��µ��磬��Խ� MCi12!mo �ǳ� "My Child is 12 months old!"��ӵ��ֺ��յȶ��ǲ��ȫ�Ŀ��

��ƽ�Ŀ��

��Щ�򵥵�ָ��ɰ��ȫ�Ŀ����һ��Ӧ��й��򣬵�ʹ�õĹ��Խ�࣬��Խ��ƽ⡣һЩ��ʾ��

��Ŀ�� PIN

��ö��ڸ��ݿ�/��Կ��ļ�� PIN�� Administration Server �� SSL��ʱ��Ҫ�˿����ڸ�Ŀ��ԶԷ��ṩ��һ��ı��

ֻ��ڱ��ؼ��ϸ�Ĵ˿���йظ�ÿ��ʱ��ע��б?�μ��ƽ�Ŀ��

��ݿ�/��Կ��ļ��

�� "Administration Server" �� "Server Manager"��Ȼ�󵥻� "Security" ѡ���

�� "Change Key Pair File Password" t�ӡ�

�� "Cryptographic Module" ��-ʽ�б��У�ѡ��Ҫ��и�Ŀ��İ�ȫ��ơ�Ĭ��£��ڲ��Կ��ݿ�İ�ȫ��Ϊ "Internal"��װ�� PKCS #11 ģ�飬��г��еİ�ȫ��ơ�

��뵱ǰ��

��¿��

�ٴ��¿���� "OK"��

ȷ��Կ��ļ��ܵ��Administration Server ��Կ��ļ��洢�� server_root/alias Ŀ¼�С�

�˽ⱸ�ݴŴ��Ƿ�洢�˸��ļ��Լ��Ƿ��ܹ�ͨ��ʽ��ȡ��ļ�Ҳ��Ҫ��洢�˸��ļ��񱣻��һ��f��ݡ�

��Ʒ��ϵ��Ӧ�ó��

UNIX �� Linux

С��ѡ�� inittab �� rc �ű��Ľ�̡��벻Ҫ�ڷ�� telnet �� rlogin��Ҳ��Ӧ�ڷ�� rdist��ɷ��ļ��Ҳ��4��·��ϵ��ļ��

Windows

��ֹ�ͻ�� SSL �ļ�

ͨ�� HTML �ļ�� <HEAD> ��У��Է�ֹ�ͻ��ٻ��ǰ��ļ��

��ƶ˿�

��ü��δʹ�õ��ж˿ڡ�ʹ��·��;�ǽ��ÿ��Է�ֹ��С�˿ڼ��κζ˿ڵĲ��l�ӡ��ζ�Ż�ȡ�� Shell ��Ψһ��ͨ��?ʽʹ�÷��ü��Ӧ�Ѵ��ڡ�

�˽��

��ṩ�˷��Ϳͻ��֮��İ�ȫl�ӡ��ͻ��Ϣ֮�󣬷��޷��Ϣ�İ�ȫ�ԣ�Ҳ�޷��ƶԷ��?��Ŀ¼��ļ��ķ��ʡ�

�˽��Щ��Ҫ��磬��ͨ�� SSL l�ӻ�ȡ��ÿ��ţ��Щ��Ƿ�洢�ڷ��ϵİ�ȫ�ļ��أ�SSL l��ֹ��Щ��أ��Ϊ�ͻ��ͨ�� SSL ��͸��κ��Ϣ�ṩ��ȫ��

��һҳ Ŀ¼ �� һҳ
Sun Java System Web Proxy Server 4.0.1 ��ָ��

�� 5 �� ʹ��֤�����Կ

����֤�����֤

����������ݿ�

����������ݿ�

ʹ�� password.conf

�Զ��������� SSL �ķ�����

�Զ��������� SSL �ķ�����

����Ͱ�װ VeriSign ֤��

���� VeriSign ֤��

���� VeriSign ֤��

��װ VeriSign ֤��

��װ VeriSign ֤��

����Ͱ�װ���������֤��

����� CA ��Ϣ

�������������֤��

�������������֤��

��װ���������֤��

��װ���������֤��

Ǩ��֤��

Ǩ��֤��

ʹ�����ø�֤��ģ��

����֤��

����֤��

��װ�͹��� CRL �� CKL

��װ CRL �� CKL

��װ CRL �� CKL

���� CRL �� CKL

���� CRL �� CKL

���ð�ȫ��ѡ��

SSL �� TLS Э��

ʹ�� SSL �� LDAP ͨ��

�� Administration Server ������ SSL

ͨ�� Proxy Server ��b SSL ���

���� SSL ���

���� SSL ���

SSL �����ϸ������Ϣ

Ϊ�����׽������ð�ȫ��

�򿪰�ȫ��

���������׽���ʱ�򿪰�ȫ��

�༭�����׽���ʱ�򿪰�ȫ��

ѡ�������׽��ֵķ�����֤��

Ϊ�����׽���ѡ�������֤��

ѡ������㷨

���� SSL �� TLS

ȫ�����ð�ȫ��

���� SSL �����ļ�ָ���ֵ

SSLSessionTimeout

�﷨

SSLCacheEntries

SSL3SessionTimeout

�﷨

ʹ���ⲿ����ģ��

��װ PKCS #11 ģ��

ʹ�� modutil ��װ PKCS #11 ģ��

ʹ�� modutil ��װ PKCS #11 ģ��

ʹ�� pk12util

ʹ�� pk12util ����

���ڲ���ݿ⵼��֤�����Կ

ʹ�� pk12util ����

��֤�����Կ�����ڲ����ⲿ PKCS #11 ģ��

ʹ���ⲿ֤���������

Ϊ�����׽���ѡ��֤�����

Ϊ�����׽���ѡ��֤�����

FIPS-140 ��׼

���� FIPS-140

���ÿͻ���ȫҪ��

Ҫ��ͻ�����֤

Ҫ��ͻ�����֤

�������������еĿͻ�����֤

�ڷ����������������ÿͻ�����֤

���������-��֤-�ͻ���

����“���������-��֤-�ͻ���”����

���ݷ�����-��֤-���������

����“���ݷ�����-��֤-���������”����

���������-��֤-�ͻ�������ݷ�����-��֤-���������

����“���������-��֤-�ͻ�������ݷ�����-��֤-���������”����

���ͻ���֤��ӳ�䵽 LDAP

ʹ�� certmap.conf �ļ�

�����Զ�������

ӳ������

�� 5 ��
ʹ��֤��Կ

��֤��֤

��ݿ�

��ݿ�

�Զ�� SSL �ķ��

�Զ�� SSL �ķ��

��Ͱ�װ VeriSign ֤��

�� VeriSign ֤��

�� VeriSign ֤��

��Ͱ�װ��֤��

�� CA ��Ϣ

��֤��

��֤��

��װ��֤��

��װ��֤��

ʹ��ø�֤��ģ��

��֤��

��֤��

��װ�͹�� CRL �� CKL

�� CRL �� CKL

�� CRL �� CKL

��ð�ȫ��ѡ��

�� Administration Server �� SSL

ͨ�� Proxy Server ��b SSL ��

�� SSL ��

�� SSL ��

SSL ��ϸ��Ϣ

Ϊ��׽��ð�ȫ��

��׽��ʱ�򿪰�ȫ��

�༭��׽��ʱ�򿪰�ȫ��

ѡ��׽��ֵķ��֤��

Ϊ��׽��ѡ��֤��

ѡ��㷨

�� SSL �� TLS

ȫ��ð�ȫ��

�� SSL ��ļ�ָ��ֵ

ʹ��ⲿ��ģ��

ʹ�� pk12util ��

��ڲ��ݿ⵼��֤��Կ

ʹ�� pk12util ��

��֤��Կ��ڲ��ⲿ PKCS #11 ģ��

ʹ��ⲿ֤��

Ϊ��׽��ѡ��֤��

Ϊ��׽��ѡ��֤��

�� FIPS-140

��ÿͻ��ȫҪ��

Ҫ��ͻ��֤

Ҫ��ͻ��֤

��еĿͻ��֤

�ڷ��ÿͻ��֤

��-��֤-�ͻ��

��“��-��֤-�ͻ��”��

��ݷ��-��֤-��

��“��ݷ��-��֤-��”��

��-��֤-�ͻ��ݷ��-��֤-��

��“��-��֤-�ͻ��ݷ��-��֤-��”��

��ͻ��֤��ӳ�䵽 LDAP

��Զ��

ӳ��

��ø�ǿ��ļ��㷨

��ø�ǿ��ļ��㷨

��ȫע��

��

��ƹ��

ѡ��ǿ�Ŀ��

��ƽ�Ŀ��

��Ŀ�� PIN

��ݿ�/��Կ��ļ��

��Ʒ��ϵ��Ӧ�ó��

��ֹ�ͻ�� SSL �ļ�

��ƶ˿�

�˽��